It’s no surprise that cyber criminals target high-profile individuals or those with access privilege. Malicious actors often use social engineering and whale phishing attacks against these people to breach systems. But households and family members of company executives may also be the target of cyberattacks. In some cases, such as sextortion attempts, criminals demand monetary payment.
There’s also a new trend where family members are being targeted, but the actors aren’t asking for money. Instead, attackers seek network access, passwords and requests to download files — all in an attempt to reach bigger targets and carry out wider attacks.
In short, modern company security should also include household security.
No perimeter to secure
If anything, the pandemic eliminated any notion of perimeter-based security. How many companies these days have employees connecting from a distance? How many businesses have hundreds, if not thousands, of devices connecting to their network? While the security risks are clear, 24/7 availability from any place on any device enables brands to stay competitive. And this means security must extend to all endpoints, human and machine, to secure a company’s network.
While we obsess over online security, threat actors might not stay limited to digital-only tactics. For example, cyber pro Reuven Aronashvili reported a case that involved the teenage son of an executive. The actors threatened to reveal that the teen was gay — something he had not shared with his family at the time — unless he installed some files on his home Wi-Fi network. Once the files were installed, the attacker could then target his mother, the executive.
The FBI has also released a warning about the rise of “sextortion” attacks. As per the FBI, “Sextortion occurs when someone threatens to distribute your private and sensitive material if their demands are not met.”
Sextortion and social engineering
Sextortion may be considered a type of social engineering attack. Most victims report that the aggressor makes initial contact through dating websites or apps. After gaining confidence, the fraudster lures the target to continue the conversation on a private messaging platform.
The actor then encourages the victim to exchange sexually explicit material. They might invite them to video chats or ask for explicit photos. Once the victim complies, the criminal begins to demand money to prevent the release of the photos or videos on social media. The attacker may also gain access to the victim’s social media or contact information and threaten to send the images to the victim’s family and friends.
As per Aronashvili, a new type of sextortion attack — to demand file download or network access — is growing rapidly. He said these attacks were unheard of as recently as 2021 when most sextortion attempts demanded a straightforward payout.
“Now, by asking for access and file downloads, attackers are seeking to use sextortion as the first step in reaching potentially larger targets, with potentially larger profits,” he said. Attackers may initially target family members to eventually attack the company, its suppliers or its customers, according to Aronashvili.
Family cyber awareness is company cyber awareness
The reality is that nefarious actors frequently target young people. For example, recent reports suggest that online grooming crimes are rising. This alone makes it essential to teach family and household members about cyber risks. Now, criminals are also grooming family members hoping to gain access to company networks. So when security teams think about cyber awareness, they should be talking to teams about security at home as well.
These intrusions get too close for comfort in some cases. For example, Mandiant Consulting CTO Charles Carmakal shared a story about a client who was being extorted. Carmakal said the client received flowers from the threat actor with a very polite but intimidating message.
“It’s a very different story if you’re an executive of the company, and your daughter is being harassed by a threat actor. Your desire to pay or your willingness to pay shoots up tenfold when you’re dealing with personal attacks,” Carmakal said.
Beware of gamer fraud
Cyberattacks against gamers have seen rapid growth recently. And Kaspersky Lab reported that cyberattacks on young gamers shot up 57 percent in 2022. As per the report, cyber criminals launched more than 7 million attacks on children, exploiting popular game titles in 2022.
Phishing pages target young players by mimicking global titles, such as Roblox, Minecraft, Fortnite and Apex Legends games. The report points out that to reach parents’ devices, cyber criminals lure children to fake game sites and phishing pages to download malicious files.
It was also reported that a common social engineering method involves offers to download popular cheats and mods for games. On some phishing sites, kids can access a manual on how to properly install a cheat. The manual may even include specific instructions about how to disable the antivirus before installing a file. Some young players may fall for this, so any malware they download can avoid detection on the infected device. And the longer the user keeps their antivirus, the more information the malware can collect from the victim’s computer.
The report also noted that children’s games attacked even included games for the youngest players, such as Poppy Playtime and Toca Life World. These games are designed for 3 to 8-year-old players.
Bring cyber awareness home
Internet access makes every person in a household a potential victim. Crimes like kidnapping or sexual abuse can occur due to social engineering grooming. Plus, company breaches can occur due to sloppy cyber hygiene at home.
The Kaspersky report offers the following advice (adapted for this article):
- Show interest in your kids’ online activity. Sit down with them to watch their favorite series or listen to music tracks together.
- Consider using parental control apps, especially for the younger people at home. Don’t forget to explain how the apps work and why they’re important for safety.
- Teach kids that sensitive information should only be shared via messengers and only with people they know in real life. Be a role model and exhibit examples of good online behavior.
- Spend time talking to your kids about online safety measures. Encourage them to ask before downloading anything. Pay attention to your own habits.
- Make talks about cybersecurity more enjoyable and interesting by discussing them with your child through games and more engaging formats.
Cyber risk is more pervasive than ever — at work and at home. Educate yourself, your teams and your family. And stay secure.